Change we can believe in?

February 22nd, 2011

Post-RSA, I’ve seen a lot of commentary about how people were disappointed that the conference didn’t reveal more “change” on the part of the security industry. The reasons for this vary – too many Guido-esque sales douches, booth babes with pink hair (!?), the NSA using booth babes (spelled: desperate), overuse of the words “cloud” and “GRC” and “cyber” and….well, the list goes on. All of these are valid observations. And hearing all this noise has brought me back around to a thought I’ve had in the last few months about the nature of the “security community” in general.

I think some people in this industry have forgotten that first and foremost, it’s a JOB. That’s right, as in profession, earning a paycheck, whatever you want to call it. For whatever reason, a good number of people seem to have elevated information security beyond this (in their minds) to a CALLING. Let me be the one to call bullshit. Please. There is absolutely nothing wrong with having passion about what you do for a living. I fall into this camp – I genuinely love security, for the technical challenges, the people challenges, the unwashed (literally, too often) masses at the conferences, and the social camaraderie in many cases, too. But too many are constantly expressing outrage at how we’re not changing. Changing what, exactly?

Should there be more of a focus on application security vs network security? Probably. A good post to get you thinking about this (loosely, granted) can be found on Gunnar Peterson’s blog. Within our industry, that’s something we can rail about. And we do. But this serves as a perfect example of two fundamental truths that seem to be absent in most of the “we need change” conversations. Here they are, with my thoughts:

1. Security (especially at RSA) is a business. We have been talking for the last few years about “integrating with the business” in our organizations. I don’t care what business you’re in, the first rule of business is making money. And that’s exactly what the vendors are trying to do – make money. So they don’t really give a shit about what the echo chamber thinks – they use “cloud” and “GRC” and all the other buzzwords because they work. People buy stuff. Are they buying the *wrong* stuff? As a corollary, are we trying to solve the *wrong* problems (i.e. network vs app security, etc)? Maybe. But the vendors will go where the money is, and they’ll market their way to profits. If it upsets you, then you’re not really in line with “business” at all. Sorry.

2. We, as an industry, have absolutely zero control of what our adversaries do. That means that our innovation cycles will always be behind the threats and attacks, and it’s something we need to adjust to. I know, I know, we all pay lip service to this, but the reality is this – the criminals are BANKING right now. So their motivation is really a lot higher than ours in many ways – they want to make huge money, and they don’t want to get caught. We, on the other hand, are trying to prevent data loss/theft and “protect” ourselves and our organizations. It’s a noble effort, true, but will never have the same urgency as someone trying to illegally make millions of dollars quickly.

So what kind of “change” will get us ahead of the threats? That’s really the point of #2 – how do we “change” to get there? I’m not a pessimist by nature, but right now I think this is the wrong thing to be focusing on. I think the RIGHT changes to make are absolutely mental in nature, as Mike Rothman so aptly tweeted to me. Two things we can do:

1. Focus on doing the best JOB we can. Get off the “holy crusade” tip and go out and secure something. I’ve railed about this for a long time, but we’re all too fascinated by “breakers” vs “builders”, or at least “defenders”. If 99% of the security “community” spent their time fanatically focused on hardening their OS and apps, tuning IDS and other systems (behavioral and otherwise), implementing whitelisting with/instead of AV alone, etc., INSTEAD of worshipping the pen testers and exploit finders, we’d be better off. Let those folks do their thing. But the most good most people can do is to focus on being the best defenders they can be. This is the mental change we need – do most lawyers, doctors, accountants, engineers, etc. treat their jobs as a self-righteous soapbox all the time? No. And many of them are GREAT at their jobs. Less soapbox, more lockdown.

2. At B-Sides SFO, a few of us were having a conversation about how we could really make a difference to the realm of security. And Josh Corman suggested going outside our own “community” to talk to developers and others. This is probably the best idea out there – they call it the “echo chamber” for a reason…we all talk to EACH OTHER about the problems. We need to go to the developer conferences and local group meetings, the VMware meetings, the SysAdmin meetings, etc. What about teaching everyone at a retirement community about using Facebook “safely”? Teaching elementary school kids about online safety? You get the point – we need to expand our reach. Go evangelize! Just do it to a group that isn’t security people.

This is likely not the only type of “change” we need. I’m certainly no prophet, and I rant in the echo chamber, too. And do pen tests, etc, as well. But it seems like all this disgust at a lack of “change” could be easily remedied by some outbound efforts into other areas, not directed at security vendors and each other.

And someone (I forget who, honestly) suggested going outside our own “community” to talk to developers and others. This is probably the best idea out there – they call it the “echo chamber” for a reason…

Do you think there is a paralysis preventing us from doing this more based around not feeling like an appropriate person to go out and “speak for our industry”? Isn’t this what people who actually have “Evangelist” in their title are supposed to do?

@Marisa Fagan
Marisa, this is a good point. Perhaps we need to mentor people in evangelism, seriously? For *outside* the industry. Most people with “evangelist” in their titles are working for vendors to sell products, so in essence they are evangelizing product to people who will possibly buy them. Nothing wrong with this, but it doesn’t really satisfy the need here.

I think the biggest change is mindset: thinking about security as part of an asset, instead of something outside of an asset. Security should be implicit, not an added-on pizza box or feature. Thinking about security as implicit presupposes integration with the asset at hand. Lots of security people know way more about Defcon presentations than how their business generates cash flow or the programming languages their apps are written in or how their database is structured.

Enough evangelism and attending conferences to learn about some obscure attack that you will never see in the real world; corporate security people need to get on with doing their jobs and taking care of the mundane, boring stuff that really makes a difference to the security of their organisation.

Do you know of any meatspace business (restaurants, laundromats, universities, jewelry store, etc) that would allow their employees to walk the city with say $500k in cash and jewels on the way to the bank for deposit?

Conversely, do you know of many businesses that DO NOT allow employees to pull down wires for 6 figures all the time, from their pre-pwned laptop, risking those credentials getting stolen with Zeus and getting cleaned out? With no reimbursement from the banks?

Something is just different about how management/ownership perceives the digital world and the risks there…

@gunnar
Yes, Gunnar. My business partner and I totally resonate with your thought. We are trying to bring about this change through our consulting firm. It’s just that much tougher for us, since we are based out of Bangalore, India. Here, while we have the biggest technology companies, the attitude towards security is exactly the way you have mentioned in your comment. We are onto a real uphill task, but we are confident and passionate about it.

@admin
Do you think security professionals find it difficult to justify their jobs? After all, they do not usually form part of the core business in an organisation setup.
Also, while I agree that security professionals should go outside the community, should it also be the other way round, wherein we bring the business and operations guys to talk to us about their challenges?

@Marisa Fagan I think the idea of a “Security Evangelist” is a good one. I think there are small things we each can do to that end. Volunteer at your school or local community organization to educate them about what they can do to “secure” themselves online and offline.